CVE-2023-5193 MEDIUM

CVE-2023-5193: System Role with manage posts permission can read posts of Direct Messages

Vendor Mattermost
Product Mattermost
Weakness CWE-863 · Incorrect authorization
Published September 29, 2023
Last update September 20, 2024

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to read the posts of a DM conversation.

Key dates

02Disclosure timeline

September 29, 2023 CVE published
September 20, 2024 Record updated